Change the Location of the Elasticsearch Database

If the primary volume where the Elasticsearch database is installed doesn't have enough space to store events at your event rate, you can move the LCE 5.x Elasticsearch database to another, higher-capacity volume.

These steps illustrate how to change the location of the Elasticsearch DB.

Steps

  1. Create a base directory at the new location.

    # mkdir /<volume>/ES/

  2. Back up the /etc/elasticsearch/elasticsearch.yml file.

    # cp -v /etc/elasticsearch/elasticsearch.yml /tmp

  3. Stop the LCE service.

    # /opt/lce/tools/stop_lce

  4. Stop the Stats Daemon.

    # service stats stop

  5. Stop the Elasticsearch service.

    # service elasticsearch stop

  6. Move the data to the new directory you created in Step 1.

    # mv -v /opt/lce/db/ <yourNewDbPath>

    Caution: This operation may take a significant amount of time depending on the size of your database.

  7. Update LCE with the path to the new Elasticsearch location.

    # /opt/lce/tools/setup-single-node.sh --override-db-dir <yourNewDbPath> --setup-es

    Note: This script will also start the Elasticsearch instance.

  8. Start the LCE service.

    # /opt/lce/tools/start_lce

  9. Display the current log directory location.

    # /opt/lce/tools/lce_cfg_utils --display log-directory

  10. Verify new events are stored in Elasticsearch at its new location.

    Get the current silo number:

    # curl 'http://<LCEServerIP>:9200/_cat/indices'

  11. Query the data in the current silo. The current silo will be the one with the highest number.

    The example below assumes the current silo is 8.

    # curl 'http://<LCEServerIP>:9200/silo8/events/_search?size=20&pretty'

    Current logs/events should be returned by the query.
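Steps 10 and 11 can be scripted so the current silo is picked numerically rather than by eye. The helper below is an added example, not part of the Tenable documentation or tooling. The function names, the sample index listing and the assumption that silo indices are named `silo<N>` (as in the page's silo8 example) are illustrative.

```shell
#!/bin/sh
# Added example: find the current (highest-numbered) silo in _cat/indices
# output and build the step 11 query URL for it.
# Assumption: silo indices are named "silo<N>", as in the silo8 example.

# Reads _cat/indices text on stdin and prints the highest silo number.
# The comparison is numeric, so silo10 ranks above silo8; a plain text
# sort would put silo8 last and query a stale silo.
current_silo() {
    awk '
        {
            # The index-name column differs between Elasticsearch
            # versions, so check every field on the line.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^silo[0-9]+$/) {
                    n = substr($i, 5) + 0
                    if (!found || n > max) { max = n; found = 1 }
                }
            }
        }
        END { if (found) print max; else exit 1 }
    '
}

# Builds the step 11 query URL from a server address and a silo number.
silo_query_url() {
    printf 'http://%s:9200/silo%s/events/_search?size=20&pretty\n' "$1" "$2"
}

# Constructed sample of _cat/indices output (not captured from a real server).
SAMPLE_INDICES='yellow open silo8  5 1 120344 0 88.1mb 88.1mb
yellow open silo10 5 1   5012 0  4.2mb  4.2mb
yellow open silo9  5 1  98231 0 71.5mb 71.5mb
yellow open other  1 1      2 0  9.8kb  9.8kb'

# Against a live server (commented out so the block runs offline):
# silo=$(curl -s "http://$LCE_IP:9200/_cat/indices" | current_silo) &&
#     curl -s "$(silo_query_url "$LCE_IP" "$silo")"
```

`current_silo` exits non-zero when no silo index is listed, which after a relocation usually means Elasticsearch is not serving data from the new path.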

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.